What You'll Need
- A read-only AD service account (no admin rights required)
- LDAPS reachable on port 636 from the connector host
- The base DN for your directory (e.g. DC=corp,DC=example,DC=com)
- ~15 minutes to complete setup
Create a Read-Only Service Account
Log in to a domain controller or a machine with Active Directory Users and Computers (ADUC) installed.
In ADUC, create a new user account dedicated to Clariti — for example svc-clariti-readonly. Set a strong, non-expiring password. This account needs no administrative rights.
Grant the account Read permission on the domain root or the specific OUs you want Clariti to ingest. In ADUC, right-click the OU or domain root → Properties → Security → Add the service account and grant Read and List Contents.
Gather Your Credentials
You will need three values to complete the connection in Clariti:
| Field | Example |
|-------|---------|
| Bind DN | CN=svc-clariti-readonly,OU=Service Accounts,DC=corp,DC=example,DC=com |
| Bind Password | The password you set for the service account |
| Base DN | DC=corp,DC=example,DC=com |
The Bind DN is the full distinguished name of the service account. You can copy it from the account's Properties → Attribute Editor → distinguishedName in ADUC, or run Get-ADUser svc-clariti-readonly | Select DistinguishedName in PowerShell.
Enter Credentials in Clariti
| Value from vendor console | Paste into Clariti field |
|---|---|
Bind DN | Bind DN |
Bind Password | Bind Password |
Base DN | Base DN |
Verify Connection
Click Test Connection in Clariti. A successful connection returns a green checkmark. The connector uses LDAPS (port 636) for all communication — ensure the domain controller's certificate is issued by a trusted CA or that the connector host trusts the domain's CA.
Troubleshooting
- LDAP_INVALID_CREDENTIALS — Double-check the Bind DN (must be the full distinguished name, not just the username) and the Bind Password.
- Connection timeout — Confirm port 636 (LDAPS) is open between the connector host and the domain controller. Port 389 (plain LDAP) is not used.
- Insufficient access — The service account may lack Read permission on the target OUs. Re-check the ADUC permissions and ensure inheritance is enabled.
- Certificate error — The domain controller's TLS certificate must be trusted by the connector host. Install the enterprise CA certificate in the connector's trust store if needed.